actions/runner-images
1
0
Fork 0
mirror of https://github.com/actions/runner-images.git synced 2025-12-26 19:38:57 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
7afeca2a812e77b340aa755da2b47718ab970990
runner-images/.github/workflows/create_sbom_report.yml

113 lines
4.4 KiB
YAML
Raw Blame History

name: Create SBOM for the release
run-name: Collecting SBOM for ${{ github.event.client_payload.agentSpec || 'unknown image' }} - ${{ github.event.client_payload.imageVersion || 'unknown version' }}
on:
repository_dispatch:
types: [generate-sbom]
defaults:
run:
shell: pwsh
jobs:
sbom-check:
outputs:
check_status: ${{ steps.check.outputs.status }}
runs-on: ubuntu-latest
env:
RELEASE_ID: ${{ github.event.client_payload.ReleaseID }}
steps:
- name: Check SBOM asset for release ${{ env.RELEASE_ID }}
id: check
shell: pwsh
run: |
$apiUrl = "https://api.github.com/repos/actions/runner-images/releases/$env:RELEASE_ID"
$response = Invoke-RestMethod -Uri $apiUrl -Method Get -SkipHttpErrorCheck
if ($response.message -ilike "Not Found") {
echo "status=release_not_found" >> $env:GITHUB_OUTPUT
Write-Error "Release $env:RELEASE_ID wasn't found"
exit 1
}
foreach ($asset in $response.assets) {
if ($asset.name -like '*sbom*') {
echo "status=sbom_exists" >> $env:GITHUB_OUTPUT
return "Release $env:RELEASE_ID already contains a SBOM"
}
}
Write-Host "Release has been found, SBOM is not attached, starting generation."
echo "status=okay" >> $env:GITHUB_OUTPUT
building-sbom:
needs: sbom-check
if: ${{ needs.sbom-check.outputs.check_status == 'okay' }}
runs-on: ${{ github.event.client_payload.agentSpec }}
env:
AGENT_SPEC: ${{ github.event.client_payload.agentSpec }}
RELEASE_ID: ${{ github.event.client_payload.ReleaseID }}
IMAGE_VERSION: ${{ github.event.client_payload.imageVersion }}
steps:
- name: Available image version check
run: |
$expectedVersion = $env:IMAGE_VERSION
$runnerVersion = $env:ImageVersion
# Split versions by dot
$expectedParts = $expectedVersion.Split('.')
$runnerParts = $runnerVersion.Split('.')
# Determine what parts to compare
$minLength = [Math]::Min($expectedParts.Length, $runnerParts.Length)
$expectedComparable = $expectedParts[0..($minLength-1)] -join '.'
$runnerComparable = $runnerParts[0..($minLength-1)] -join '.'
# Perform the comparison
if ($expectedComparable -ne $runnerComparable) {
throw "Version mismatch: Expected version '$expectedVersion' doesn't match runner version '$runnerVersion'"
}
- name: Install SYFT tool on Windows
if: ${{ runner.os == 'Windows' }}
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b C:/syft
- name: Install SYFT tool on Ubuntu
if: ${{ runner.os == 'Linux' }}
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
- name: Install SYFT v1.24.0 on macOS
if: ${{ runner.os == 'macOS' }}
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.24.0
- name: Run SYFT on Windows
if: ${{ runner.os == 'Windows' }}
run: C:/syft/syft dir:C:/ -vv -o spdx-json=sbom.json
- name: Run SYFT on Ubuntu
if: ${{ runner.os == 'Linux' }}
run: syft dir:/ -vv -o spdx-json=sbom.json
- name: Run SYFT on macOS
if: ${{ runner.os == 'macOS' }}
# Skip protected folders to avoid prompt privileges that block process indefinitely (https://github.com/anchore/syft/issues/1367)
run: sudo syft dir:/ -vv -o spdx-json=sbom.json --exclude ./Users --exclude ./System/Volumes --exclude ./private
shell: bash
- name: Compress SBOM file
run: Compress-Archive sbom.json sbom.json.zip
- uses: actions/upload-artifact@v4
with:
name: sbom-${{ env.AGENT_SPEC }}-${{ env.IMAGE_VERSION }}
path: sbom.json.zip
if-no-files-found: warn
- name: Upload release asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: "https://uploads.github.com/repos/actions/runner-images/releases/${{ env.RELEASE_ID }}/assets{?name,label}"
asset_path: ./sbom.json.zip
asset_name: sbom.${{ env.AGENT_SPEC }}.json.zip
asset_content_type: application/zip
Reference in New Issue View Git Blame Copy Permalink